* [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Peter Todd @ 2014-09-13 13:55 UTC
To: Bitcoin Dev

So far I have zero evidence that the common claim that "Satoshi PGP signed everything" was true; I have no evidence he ever cryptographically signed any communications at all.

--
'peter'[:-1]@petertodd.org
00000000000000000ce4f740fb700bb8a9ed859ac96ac9871567a20fca07f76a

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 650 bytes --]

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Jeff Garzik @ 2014-09-13 14:03 UTC
To: Peter Todd; +Cc: Bitcoin Dev

That claim is horse manure :) He never signed private emails sent to me, nor the forum posts.

He -might- have signed the occasional thing related to releases, I'm not sure.

--
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc. https://bitpay.com/

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Peter Todd @ 2014-09-14 6:28 UTC
To: Jeff Garzik; +Cc: Bitcoin Dev

On Sat, Sep 13, 2014 at 10:03:20AM -0400, Jeff Garzik wrote:
> That claim is horse manure :) He never signed private emails sent to
> me, nor the forum posts.

That's consistent with what everyone else is saying:

https://twitter.com/petertoddbtc/status/509614729879642113

> He -might- have signed the occasional thing related to releases, I'm not sure.

Doesn't seem like there's any evidence of that either. For instance the archive.org Jan 31st 2009 capture of bitcoin.org with v1.3 has a link to his PGP key, but the release itself is unsigned:

https://web.archive.org/web/20090131115053/http://bitcoin.org/

Similarly the Nov 29 2009 capture of the sourceforge download directory has releases v0.1.0, v0.1.2, v0.1.3, and v0.1.5, none of which have signatures:

https://web.archive.org/web/20091129231630/http://sourceforge.net/projects/bitcoin/files/Bitcoin/

The earliest signature I can find is from v0.3.20 from Gavin Andresen:

https://web.archive.org/web/20110502125522/http://sourceforge.net/projects/bitcoin/files/Bitcoin/bitcoin-0.3.20/

Earliest sig in the git commit history is the v0.3.21 tag, again from Gavin.

My best guess is Satoshi only created the PGP key in case someone needed to send him a security-related bug report.

Which leads to a related question:

Do we have any evidence Satoshi ever even had access to that key? Did he ever use PGP at all for anything?

--
'peter'[:-1]@petertodd.org
00000000000000000ce4f740fb700bb8a9ed859ac96ac9871567a20fca07f76a

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 650 bytes --]

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Thomas Zander @ 2014-09-15 7:23 UTC
To: bitcoin-development

On Sunday 14. September 2014 08.28.27 Peter Todd wrote:
> Do we have any evidence Satoshi ever even had access to that key? Did he
> ever use PGP at all for anything?

Any and all PGP related howtos will tell you that you should not trust or sign a formerly-untrusted PGP (or GPG for that matter) key without seeing that person in real life, verifying their identity etc.

I think that kind of disqualifies pgp for identity purposes wrt Satoshi :-)

--
Thomas Zander

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Melvin Carvalho @ 2014-09-15 9:49 UTC
To: Thomas Zander; +Cc: Bitcoin Dev

On 15 September 2014 09:23, Thomas Zander <thomas@thomaszander.se> wrote:
> On Sunday 14. September 2014 08.28.27 Peter Todd wrote:
> > Do we have any evidence Satoshi ever even had access to that key? Did he
> > ever use PGP at all for anything?
>
> Any and all PGP related howtos will tell you that you should not trust or sign
> a formerly-untrusted PGP (or GPG for that matter) key without seeing that
> person in real life, verifying their identity etc.
>
> I think that kind of disqualifies pgp for identity purposes wrt Satoshi :-)

But I presume that if the key is on bitcoin.org, you can probably infer that the owner of the key and the original owner of bitcoin.org are one and the same ...

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Jeff Garzik @ 2014-09-15 13:08 UTC
To: Thomas Zander; +Cc: Bitcoin Dev

On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander <thomas@thomaszander.se> wrote:
> Any and all PGP related howtos will tell you that you should not trust or sign
> a formerly-untrusted PGP (or GPG for that matter) key without seeing that
> person in real life, verifying their identity etc.

Such guidelines are a perfect example of why PGP WoT is useless and stupid geek wanking.

A person's behavioural signature is what is relevant. We know how Satoshi coded and wrote. It was the online Satoshi with which we interacted. The online Satoshi's PGP signature would be fine... assuming he established a pattern of use.

As another example, I know the code contributions and PGP key signed by the online entity known as "sipa." At a bitcoin conf I met a person with photo id labelled "Pieter Wuille" who claimed to be sipa, but that could have been an actor. Absent a laborious and boring signed challenge process, for all we know, "sipa" is a supercomputing cluster of 500 gnomes.

The point is, the "online entity known as Satoshi" is the relevant fingerprint. That is easily established without any in-person meetings.

--
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc. https://bitpay.com/

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Brian Hoffman @ 2014-09-15 13:32 UTC
To: Jeff Garzik; +Cc: Bitcoin Dev

I would agree that the in person aspect of the WoT is frustrating, but to dismiss this as "geek wanking" is the pot calling the kettle.

The value of in person vetting of identity is undeniable. Just because your risk acceptance is different doesn't make it wanking. Please go see if you can get any kind of governmental clearance of credential without in-person vetting. Ask them if they accept your behavioral signature.

I know there is a lot of PGP hating these days but this comment doesn't necessarily apply to every situation.

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Jeff Garzik @ 2014-09-15 14:33 UTC
To: Brian Hoffman; +Cc: Bitcoin Dev

It applies to OP, bitcoin community development and Satoshi.

"value of in person vetting of identity is undeniable"... no it is quite deniable. Satoshi is the quintessential example. We value brain output, code. The real world identity is irrelevant to whether or not bitcoin continues to function.

The currency of bitcoin development is code, and electronic messages describing cryptographic theses. _That_ is the relevant fingerprint.

Governmental id is second class, can be forged or simply present a different individual from that who is online. PGP WoT wanking does not solve that problem at all.

--
Jeff Garzik
Bitcoin core developer and open source evangelist
BitPay, Inc. https://bitpay.com/

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Brian Hoffman @ 2014-09-15 14:49 UTC
To: Jeff Garzik; +Cc: Bitcoin Dev

In the context of Bitcoin I will concede that perhaps it holds true for now.

I also never said the actual credential you receive from a government agency is trustable. I completely agree that they are forgeable and not necessarily reliable. That was not my point. I was referring to the vetting process before issuance.

Just as you have behavioral characteristics online that contribute to trusting an "identity" you also exhibit in person attributes, such as physically being in a specific location at a certain time or blue eyes or biometrics, that are valuable. You simply cannot capture those in an online-only world. I don't see how you can deny the value there.

You are most certainly and undeniably the expert in the Bitcoin context here so I will not even attempt to argue with you on that, but I just think it's not realistic to ignore the value of an in-person network in other contexts. You called it "geek wanking" with no qualifier "in the Bitcoin context" so excuse me if I misunderstood your intent.

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Pieter Wuille @ 2014-09-15 14:55 UTC
To: Brian Hoffman; +Cc: Bitcoin Dev

WoT is a perfectly reasonable way to establish trust about the link between an online identity and a real world identity. In the case of a developer with an existing reputation for his online identity, that link is just irrelevant.

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: ThomasZander.se @ 2014-09-15 14:38 UTC
To: Bitcoin Dev

The reason it is in fact wanking is because pgp tried to solve a problem that can't be solved. It tried to provide distributed trust to a system of identity, while still depending on the local government (i.e. centralized) for the upstream ID...

It's a marriage that has no benefit.

What we really want is (decentralized) identity management that allows me to create a new anonymous ID and use that as something more secure than trusting a behavior pattern to prove it's me.

Sent on the go. Excuse the brevity.

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Thomas Zander @ 2014-09-15 15:10 UTC
To: Bitcoin Dev

The reason it is in fact geek wanking is because pgp tried to solve a problem that can't be solved. It tried to provide distributed trust to a system of identity, while still depending on the local governments (i.e. centralization) for the upstream ID. It's a marriage that has no benefits.

What we really want is a (decentralized) identity management that allows me to create a new anonymous ID and use that as something more secure when needed that I have to prove it's me.

So for instance I start including a bitcoin public key in my email signature. I don't sign the emails or anything like that, just to establish that everyone has my public key many times in their email archives. Then when I need to prove it's me, I can provide a signature on the content that the requester wants me to sign.

All the overhead of PGP and the WoT is really completely unneeded and just means that less people use it.

Consider this; people create accounts on GitHub or Reddit and those have in fact more value than your pgp key! Because they got the anonymous part right.

* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Matt Whitlock @ 2014-09-15 15:51 UTC
To: Thomas Zander
Cc: bitcoin-development

On Monday, 15 September 2014, at 5:10 pm, Thomas Zander wrote:
> So for instance I start including a bitcoin public key in my email signature.
> I don't sign the emails or anything like that, just to establish that everyone
> has my public key many times in their email archives.
> Then when I need to prove it's me, I can provide a signature on the content
> that the requester wants me to sign.

That would not work. You would need to sign your messages. If you were merely attaching your public key to them, then the email server could have been systematically replacing your public key with some other public key, and then, when you would later try to provide a signature, your signature would not verify under the public key that everyone else had been seeing attached to your messages.
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Thomas Zander @ 2014-09-15 16:07 UTC
To: bitcoin-development

On Monday 15. September 2014 11.51.35 Matt Whitlock wrote:
> If you were merely attaching your public key to them, then the email server
> could have been systematically replacing your public key with some other
> public key,

The beauty of publicly archived mailing lists makes it impossible to get away with this without detection.

I recall reading the awesome book "The inmates are running the asylum" which states that solutions created by software engineers typically suffer from the flaw of absolutes. (find the part where he describes homo-digitalus for more)

I think this applies to PGP and your objection; in order to make it absolutely correct, you need to introduce loads of things. Signatures, WoT, etc. PGP&GPG do this. But each change of the normal workflow means you lose about 50% of your audience...

So, my silly example is not perfect. But I bet it's good enough for most. In the end the value of the imperfect solution is higher than the perfect one.
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Gregory Maxwell @ 2014-09-15 16:10 UTC
To: Matt Whitlock
Cc: Bitcoin Development

On Mon, Sep 15, 2014 at 3:51 PM, Matt Whitlock <bip@mattwhitlock.name> wrote:
> On Monday, 15 September 2014, at 5:10 pm, Thomas Zander wrote:
>> So for instance I start including a bitcoin public key in my email signature.
>> I don't sign the emails or anything like that, just to establish that everyone
>> has my public key many times in their email archives.
>> Then when I need to prove it's me, I can provide a signature on the content
>> that the requester wants me to sign.
>
> That would not work. You would need to sign your messages. If you were merely attaching your public key to them, then the email server could have been systematically replacing your public key with some other public key, and then, when you would later try to provide a signature, your signature would not verify under the public key that everyone else had been seeing attached to your messages.

If the server could replace the public key, it could replace the signature in all the same places.

Please, can this stuff move to another list? It's offtopic.
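Added example, not written by anyone in this thread: a Python sketch of the cross-archive check that the exchange above turns on, comparing the key each archived copy of a post advertises and pinning a sender's key only when every copy agrees. The `pubkey:` signature-line format, the archive names, the addresses and both keys are constructed assumptions.

```python
import email
import email.utils
import re
from collections import defaultdict

# Hypothetical convention: a "pubkey: <33-byte compressed key in hex>" line in the signature.
PUBKEY_RE = re.compile(r"^pubkey:\s*([0-9a-fA-F]{66})\s*$", re.M)

def advertised_key(raw):
    """Return (sender address, Message-ID, key or None) for one raw message."""
    msg = email.message_from_string(raw)
    sender = email.utils.parseaddr(msg["From"])[1].lower()
    # Only trust a key found after the conventional "-- " signature separator.
    _, sep, sig = msg.get_payload().rpartition("\n-- \n")
    m = PUBKEY_RE.search(sig) if sep else None
    return sender, msg["Message-ID"], (m.group(1).lower() if m else None)

def audit(archives):
    """archives: {archive name: [raw message, ...]}. Returns (pinned, conflicts).

    pinned    -- {sender: key} where every copy of every post shows the same key
    conflicts -- [(sender, message_id, {archive: key})] where copies of one post disagree
    """
    seen = defaultdict(dict)                    # (sender, msg_id) -> {archive: key}
    for name, messages in archives.items():
        for raw in messages:
            sender, mid, key = advertised_key(raw)
            if key:
                seen[(sender, mid)][name] = key
    conflicts = [(s, mid, copies) for (s, mid), copies in seen.items()
                 if len(set(copies.values())) > 1]
    keys = defaultdict(set)
    for (s, _), copies in seen.items():
        keys[s].update(copies.values())
    pinned = {s: next(iter(k)) for s, k in keys.items() if len(k) == 1}
    return pinned, conflicts

# --- constructed sample data (placeholder keys, not real ones) ---
KEY_A = "02" + "ab" * 32
KEY_B = "03" + "cd" * 32

def post(sender, msg_id, key):
    return (f"From: {sender}\nMessage-ID: <{msg_id}>\n\nBody text.\n"
            f"-- \npubkey: {key}\n")

GOOD = [post("alice@example.org", f"m{i}@example.org", KEY_A) for i in (1, 2)]
REWRITTEN = [post("alice@example.org", f"m{i}@example.org", KEY_B) for i in (1, 2)]
ARCHIVES = {"archive-a": GOOD, "archive-b": GOOD, "archive-c": REWRITTEN}

if __name__ == "__main__":
    pinned, conflicts = audit(ARCHIVES)
    print("pinned:", pinned)
    for sender, mid, copies in conflicts:
        print("CONFLICT", sender, mid, copies)
```

With all three archives the rewritten copy is flagged and nothing is pinned; given only `archive-c`, the same audit pins the substituted key without complaint, so the check is only as strong as the independence of the copies compared.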
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Peter Todd @ 2014-09-15 16:20 UTC
To: Gregory Maxwell, Matt Whitlock
Cc: Bitcoin Development

On 15 September 2014 17:10:14 BST, Gregory Maxwell <gmaxwell@gmail.com> wrote:
>If the server could replace the public key, it could replace the
>signature in all the same places.
>
>Please, can this stuff move to another list? It's offtopic.

+1

My original post was OT really, although obviously this was the right venue to be sure the required audience saw it and settle the question.
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Venzen @ 2014-09-15 14:44 UTC
To: bitcoin-development

Funny that you should describe WoT that way. According to some psycho-analysts the act of making love to a partner is actually a realization of our subconscious desire to make love to ourselves. So, in this sense, WoT geeks are indeed masturbating, but it's with the good purpose of ensuring that it's being done via the intended recipient and not some imposter or unsuspecting bystander.

That's a valid concern, especially as Bitcoin development ranks grow and branch beyond a small core team.

On 09/15/2014 08:08 PM, Jeff Garzik wrote:
> On Mon, Sep 15, 2014 at 3:23 AM, Thomas Zander
> <thomas@thomaszander.se> wrote:
>> Any and all PGP related howtos will tell you that you should not
>> trust or sign a formerly-untrusted PGP (or GPG for that matter)
>> key without seeing that person in real life, verifying their
>> identity etc.
>
> Such guidelines are a perfect example of why PGP WoT is useless
> and stupid geek wanking.
>
> A person's behavioural signature is what is relevant. We know how
> Satoshi coded and wrote. It was the online Satoshi with which we
> interacted. The online Satoshi's PGP signature would be fine...
> assuming he established a pattern of use.
>
> As another example, I know the code contributions and PGP key
> signed by the online entity known as "sipa." At a bitcoin conf I
> met a person with photo id labelled "Pieter Wuille" who claimed to
> be sipa, but that could have been an actor. Absent a laborious and
> boring signed challenge process, for all we know, "sipa" is a
> supercomputing cluster of 500 gnomes.
>
> The point is, the "online entity known as Satoshi" is the relevant
> fingerprint. That is easily established without any in-person
> meetings.
* Re: [Bitcoin-development] Does anyone have anything at all signed by Satoshi's PGP key?
From: Justus Ranvier @ 2014-09-15 18:06 UTC
To: bitcoin-development

On 09/15/2014 03:08 PM, Jeff Garzik wrote:
> Such guidelines are a perfect example of why PGP WoT is useless and
> stupid geek wanking.
>
> A person's behavioural signature is what is relevant. We know how
> Satoshi coded and wrote. It was the online Satoshi with which we
> interacted. The online Satoshi's PGP signature would be fine...
> assuming he established a pattern of use.

I wrote up an example of how the WoT and the behavior signature might be combined via a game:

http://bitcoinism.blogspot.ch/2013/09/building-pgp-web-of-trust-that-people.html

tl;dr: "Identity" is not a name - it's a set of shared experiences with other people. Identity systems that want to be successful should focus on those shared experiences rather than names.

--
Support online privacy by using email encryption whenever possible.
Learn how here: http://www.youtube.com/watch?v=bakOKJFtB-k